Beaconing Detection in Encrypted Traffic: A SCADA-Based Hybrid Approach Using Zeek Metadata and Isolation Forest

Abstract

Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) are the control infrastructures that keep industrial processes running. Late detection of cyberattacks against them carries serious risks of production loss, physical damage, and harm to people. Early detection is especially critical because beaconing, the periodic covert call-back of a compromised host to its Command and Control (C2) server, lets an attacker maintain persistent access and manipulate operational processes. In modern industrial networks, where most traffic is encrypted, there is a growing need for detection mechanisms that are content-independent and low-cost. This experimental study proposes a hybrid method that detects beaconing behavior using only the connection metadata produced by Zeek. Connections are grouped by source address, destination address and destination port; for each group the method computes the sequential inter-arrival time differences (∆t), their mean period (µ), standard deviation (σ) and coefficient of variation (CV = σ/µ), and identifies low-jitter periodic flows with the threshold CV ≤ 0.2. These features are then fed into an Isolation Forest model. Long Short-Term Memory (LSTM) and Random Forest models, both common in the literature, are included for comparison. In experiments on legitimate and beacon traffic generated in an isolated environment, both the CV analysis and the Isolation Forest model consistently identified the low-jitter flows as anomalies, and the Isolation Forest achieved the highest accuracy, 94.59%. The results show that beacon detection with high accuracy is achievable from time-based metadata alone, without content inspection, which supports the method's applicability to real-time security monitoring in SCADA/ICS systems.
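The feature-extraction step described in the abstract, worked through as an added example in Python. This is not the authors' code or data: the conn.log excerpt is constructed and trimmed to the columns used here, the grouping key (source address, destination address, destination port), the population standard deviation, the CV ≤ 0.2 threshold and the minimum of four connections per group (three ∆t samples) are this example's assumptions, and the optional Isolation Forest call only illustrates where the features would be handed to scikit-learn.

```python
"""Beacon-candidate detection from Zeek conn.log metadata (added example)."""
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed conn.log excerpt (assumption: only the columns used below; a real
# conn.log carries more fields, which is why parsing is driven by the #fields line).
# 10.0.0.5 -> 203.0.113.7:443 calls back about every 60 s with small jitter (beacon).
# 10.0.0.9 -> 198.51.100.20:443 is bursty, interactive-looking traffic.
# 10.0.0.5 -> 192.0.2.99:53 has too few connections to judge.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring
1000.000\tC1\t10.0.0.5\t49152\t203.0.113.7\t443\ttcp\tssl
1000.000\tC2\t10.0.0.9\t51000\t198.51.100.20\t443\ttcp\tssl
1003.000\tC3\t10.0.0.9\t51001\t198.51.100.20\t443\ttcp\tssl
1005.000\tC4\t10.0.0.5\t40001\t192.0.2.99\t53\tudp\tdns
1050.000\tC5\t10.0.0.9\t51002\t198.51.100.20\t443\ttcp\tssl
1060.500\tC6\t10.0.0.5\t49153\t203.0.113.7\t443\ttcp\tssl
1119.800\tC7\t10.0.0.5\t49154\t203.0.113.7\t443\ttcp\tssl
1180.200\tC8\t10.0.0.5\t49155\t203.0.113.7\t443\ttcp\tssl
1240.100\tC9\t10.0.0.5\t49156\t203.0.113.7\t443\ttcp\tssl
1299.700\tC10\t10.0.0.5\t49157\t203.0.113.7\t443\ttcp\tssl
1300.000\tC11\t10.0.0.9\t51003\t198.51.100.20\t443\ttcp\tssl
1302.000\tC12\t10.0.0.9\t51004\t198.51.100.20\t443\ttcp\tssl
1400.000\tC13\t10.0.0.5\t40002\t192.0.2.99\t53\tudp\tdns
1900.000\tC14\t10.0.0.9\t51005\t198.51.100.20\t443\ttcp\tssl
"""

CV_THRESHOLD = 0.2    # low-jitter criterion from the abstract: CV <= 0.2
MIN_CONNECTIONS = 4   # assumption: at least three delta-t samples before computing sigma


def parse_conn_log(text):
    """Parse tab-separated Zeek conn.log text into dicts keyed by the #fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields"):
                fields = line.split("\t")[1:]
            continue
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def flow_features(rows):
    """Group by (orig_h, resp_h, resp_p); return n, mu, sigma, cv per group."""
    stamps_by_flow = defaultdict(list)
    for r in rows:
        key = (r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"]))
        stamps_by_flow[key].append(float(r["ts"]))
    feats = {}
    for key, stamps in stamps_by_flow.items():
        stamps.sort()
        if len(stamps) < MIN_CONNECTIONS:
            continue  # not enough intervals to estimate jitter
        deltas = [b - a for a, b in zip(stamps, stamps[1:])]  # sequential delta-t
        mu = mean(deltas)
        sigma = pstdev(deltas)  # population std dev (assumption)
        cv = sigma / mu if mu > 0 else math.inf
        feats[key] = {"n": len(stamps), "mu": mu, "sigma": sigma, "cv": cv}
    return feats


def low_jitter_flows(feats, threshold=CV_THRESHOLD):
    """Flows whose inter-arrival CV is at or below the threshold, sorted by key."""
    return sorted(k for k, f in feats.items() if f["cv"] <= threshold)


def isolation_forest_labels(feats):
    """Optional second stage: hand the (mu, sigma, cv) vectors to scikit-learn's
    IsolationForest. Returns None if scikit-learn is not installed. With only a
    handful of flows the labels are not meaningful; train on a full day of conn.log."""
    try:
        from sklearn.ensemble import IsolationForest
    except ImportError:
        return None
    keys = sorted(feats)
    X = [[feats[k]["mu"], feats[k]["sigma"], feats[k]["cv"]] for k in keys]
    labels = IsolationForest(random_state=0).fit_predict(X)  # -1 = anomaly, 1 = normal
    return dict(zip(keys, labels.tolist()))


if __name__ == "__main__":
    feats = flow_features(parse_conn_log(SAMPLE_CONN_LOG))
    for key, f in sorted(feats.items()):
        print(key, {k: round(v, 3) for k, v in f.items()})
    print("low-jitter candidates:", low_jitter_flows(feats))
```

On the constructed excerpt the call-back flow has µ ≈ 59.94 s and CV ≈ 0.008, while the bursty flow has CV ≈ 1.27, so only the former passes the threshold. A practitioner running this against a real SCADA network should expect legitimate traffic to trip the CV rule as well: a Modbus/TCP or DNP3 master polling its outstations on a fixed cycle is, by construction, a low-jitter periodic flow, which is exactly why the abstract pairs the CV screen with a model trained on the site's own traffic rather than treating CV ≤ 0.2 as a verdict on its own.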
